The branch master has been updated via 837f87c217fd595c814c4e1ab47ec1842d29b60d (commit) from 6ea3bca427b3e759939a63555821d0c4678dd79c (commit)
- Log ----------------------------------------------------------------- commit 837f87c217fd595c814c4e1ab47ec1842d29b60d Author: Paul Yang <paulyang....@gmail.com> Date: Fri Jun 16 18:12:02 2017 +0800 Forbid to specify -nextprotoneg if -tls1_3 is enabled This applies both to s_client and s_server app. Reaction to Issue #3665. Signed-off-by: Paul Yang <paulyang....@gmail.com> Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3697) ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 6 ++++++ apps/s_server.c | 6 ++++++ doc/man1/s_client.pod | 1 + doc/man1/s_server.pod | 1 + 4 files changed, 14 insertions(+)
diff --git a/apps/s_client.c b/apps/s_client.c
index 8af3853..ad0eaec 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1424,6 +1424,12 @@ int s_client_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
+    if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+        BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+        goto opthelp;
+    }
+#endif
     if (proxystr != NULL) {
         int res;
         char *tmp_host = host, *tmp_port = port;
diff --git a/apps/s_server.c b/apps/s_server.c
index 26947c3..930ef6e 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1536,6 +1536,12 @@ int s_server_main(int argc, char *argv[])
     argc = opt_num_rest();
     argv = opt_rest();
 
+#ifndef OPENSSL_NO_NEXTPROTONEG
+    if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+        BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+        goto opthelp;
+    }
+#endif
 #ifndef OPENSSL_NO_DTLS
     if (www && socket_type == SOCK_DGRAM) {
         BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 9f6084d..57fa920 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
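Review bot: The new guard in s_client.c expresses the `-tls1_3` restriction as `min_version == TLS1_3_VERSION`, which is an indirect test: the option parsing that assigns `min_version` is outside the hunk, so a reader cannot see from here that `-tls1_3` is what pins it to that value, and `-min_protocol TLSv1.3` presumably reaches the same branch even though the message only names the `-tls1_3` form. A one-line comment above the `#ifndef` would make the intent explicit, e.g. `/* -tls1_3 pins min_version to TLS1_3_VERSION; NPN is not used with TLS 1.3, so reject the pair before connecting */`. The s_server.c hunk adds the identical block and warrants the same comment. Both `s_client_main` and `s_server_main` continue outside their hunks.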
@@ -564,6 +564,7 @@ for example "http/1.1" or "spdy/3". An empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 =item B<-ct|noct>
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index 6f22797..5f6054a 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -609,6 +609,7 @@ The B<val> list is a comma-separated list of supported protocol names. The list should contain the most desirable protocols first. Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3".
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 =item B<-engine val> _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits